Symantec Blogs: Security Response

M.K. Low | October 21st, 2009

Rogue security software programs, also known as misleading applications or scareware, are programs that pretend to be legitimate security software, such as an antivirus scanner or registry cleaner, but which actually provide the user with little or no protection whatsoever. Well-known examples of rogue security software include AntiVirus 2009, Malware Defender 2009, and System Guard 2009.

The recently published Symantec Report on Rogue Security Software includes a discussion on a number of servers that Symantec observed hosting these misleading applications from July to August 2009...

M.K. Low | November 17th, 2008

A while back I came across an article about a website that tries to reunite lost photos with their owners. People who come across cameras, memory sticks, or photos are asked to upload a few of them onto the site with information such as location, date, or other specific details that may be recognizable by the owner. These photos are public to everyone on the Internet and the goal of the website is for people to browse through the pictures and to connect the photographer back to the photos.

While I can appreciate the spirit of the site, as a security person, I'm very skeptical about introducing a found memory stick or photo memory card into my computer. As noted in the ISTR XIII, memory sticks (or USB thumb flash drives) represent a serious security concern...

M.K. Low | June 23rd, 2008

Recently, during her vacation to visit me, my sister forgot her cell phone and had to use her credit card in a pay phone to call me. Later that day, she tried to use the same credit card to check into her hotel and it was declined. After calling the credit card company, the man on the phone informed her that criminals often test stolen credit cards in pay phones to verify if it is still valid. Credit card companies know this and instantly put a hold on the card when this occurs.

Of course, this doesn't bode well for the criminal. They have checked if the card works and by doing so, it has been flagged and possibly deactivated. What is a criminal to do? What other methods can they use to verify the validity of the card but yet, still be able to buy that limited edition R2D2 DVD projector after the process? In a previous blog...

M.K. Low | February 18th, 2008

It is very easy to post your public information onto social networking sites. It took me less than five minutes to create and activate my account and half an hour to populate the data with my birthday, my home town, my status, my education, and my likes (puppies) and dislikes (chicken balls with red sauce). In another half hour, I was able to upload pictures of my Asia trip, my friends and family, and even my Hello Kitty small kitchen appliance collection.

But, it's not so easy to remove personal information off these sites. In a recent BBC article it was shown that users on a popular social networking site, after terminating their accounts, found it difficult to delete personal information. A popular social networking site states that "Deactivation will completely remove your profile and all...

M.K. Low | January 29th, 2008

Go on any security Web site and their best practices state that you should “never view, open, or execute any email attachment unless the attachment is expected and the purpose of the attachment is known.” But what if it’s your job to open attachments?

In this day and age, human resources (HR) managers post job openings online to get the widest possible distribution. Gone are the days of newspaper ads and window postings; managers want to attract as many qualified applicants as possible and Web postings are inexpensive and effective. This may be one reason why HR is a weak link in the security of a company. Many companies prompt applicants to email their resume and cover letter directly to the HR department or a specific manager. I went to a dozen international company sites and found that half of them had the same application process.

To apply for positions on our team, respond by email to jane.doe@xxxxx-...

M.K. Low | December 19th, 2007

There’s been a lot of coverage on the FBI Bot Roast II campaign where they released information about eight suspects who have been indicted for conducting criminal botnet activity. Bot herder suspects from across the United States have been linked to criminal activities such as DDoS attacks, conducting multi-million dollar phishing and spamming scams, and in particular stealing personal information that could lead to identity theft.

Thousands of pieces of personal information are sold and traded in underground economy servers found in Internet relay chat (IRC) rooms. When I look around the servers that we monitor, it reminds me of Causeway Bay at night in Hong Kong. Large advertisements bombard you with capital letters and carders repeat their sales pitches across multiple lines to attract people to their bargains. They list off their best deals and even offer cheaper prices if...

M.K. Low | November 21st, 2007

When I logged into my online banking Website last week, the login screen was different than what I was used to. My first reaction was that I had been hacked and the site was a spoof (a consequence of working in this field). Once I realized that it was in fact the genuine login screen, I proceeded to enroll in the bank’s newly enhanced sign-in security.

The concept is pretty easy; banks realize that card numbers and PINs are not enough to verify someone’s identity so they have added extra layers of security. To set up the enhanced login process, users are asked to pick an image and to type in a phrase. For example, a user could select the image of a green apple and the phrase “The fox is in the hen house.” These will be displayed to the user whenever they enter their bank card number so that they can verify the legitimacy of the site. Users are then asked to select three pre-determined questions and enter the answers. If the user logs into their online banking from...

M.K. Low | October 16th, 2007

Some people are very willing to give up personal information and most aren’t aware how much they are revealing. From social networking sites to personal Web pages to email, strangers now have access to more personal information than ever before. Look at any person’s page on a social networking site and you can see information ranging from first name, last name, address, email address, phone numbers, birthday, photos, employers, education, well, you get the point.

So why would letting the world know inconsequential information such as my dog’s name be so dangerous? Most users have passwords taken from their personal lives such as educational institutions, favorite hockey team (Go Leafs Go), pets' names (Fluffy), or even family members’ names. Or, when a user forgets the password to their email, the email program asks them a...

M.K. Low | October 8th, 2007

It's got Paul Anka's guarantee…guarantee void in Tennessee

One of my favorite Napoleon Dynamite scenes is when Napoleon and Kip are watching music videos and Napoleon says, “This is pretty much the worst video ever made”. Kip’s reply is “Napoleon, like, anyone can even know that.”

It’s true. How can you substantiate someone’s claim that they are the worst, the best, the most user-friendly, or simply the only system that your company will ever need? Some people blindly put their trust into companies without authenticating their claims. Just because a company advertises for an “explosion-proof computer”, “unique, very efficient, non-algorithmic based encryption,” or “guaranteed secure credit cards,” doesn’t mean caveats don’t exist. Fat-free doesn’t necessarily imply zero fat; it just means there is less than 0.5 g of fat per serving.

Companies...

M.K. Low | September 25th, 2007

Recently, I came across a publication by Tews, Weinmann and Pyshkin that describes an attack, called aircrack-ptw, which can recover a 104-bit WEP key in less than 60 seconds. WEP (Wired Equivalent Privacy) is a protocol used for securing wireless LANs (WLANs) that uses the RC4 stream cipher to encrypt transmitted packets under a common key.

The RC4 stream cipher is at the heart of the WEP protocol and is one of the most widely used stream ciphers in the world due to its simplicity and compact software implementation. Packets of information are encrypted using the following method: a 24-bit initialization vector (IV) is chosen for each packet and concatenated with the secret 104-bit RC4 common key to form the 128-bit per-packet (or session) key. The per-packet key is fed into the RC4 stream cipher to produce a pseudo-random keystream. Note that, since each packet has a different IV, the RC4...